Faced with mounting liability, rapidly escalating damage to consumers, and erosion of customer confidence in electronic payment systems, the Payment Card Industry (“PCI”) has developed a Data Security Standard (DSS) for businesses that store, process and/or transmit credit card data. Compliance requirements have been increasingly enforced, and critical failures in maintaining compliance with the PCI DSS have resulted in significant penalties for both the processors and the merchants. Compliance with the PCI security standards is not optional for merchants that store, process and/or transmit sensitive credit card data. However, many merchants have found that achieving compliance with the PCI DSS in a distributed store environment is complex and expensive.
As a result, credit card brands began focusing on the store system environment and point-of-sale (“POS”) systems as the entry point for most malicious attacks. These environments are vulnerable due to their remote locations, weakly defended networks, lack of local technical staff and often antiquated POS systems. Visa, the largest of the credit card associations, has recently focused on the store systems threat. Over 70% of the Data Security Alerts released on Visa's website from September 2006 to April 2009 address store systems vulnerabilities. Unfortunately, the introduction of PCI in the retail sector has been disruptive and meeting PCI requirements at the store systems level has proven challenging.
While individual stores may not represent a significant portion of a retailer's overall investment in Information Technology (IT) systems, the amount of credit card data processed there represents risk to both the merchant and the card association members. Some stores process fewer than 500 transactions per day but still qualify as the primary source of card processing risk for the merchant. Accordingly, the PCI data security requirements at the store environment may require a disproportionately high level of investment in technical and physical controls when compared to existing measures of IT investment. However, such investment has become more appropriate due to the increased data risk and associated liability.
Traditional data security solutions for store environments typically require a “mini-data center” approach which involves multiple security devices and applications integrated in customized configurations. These security devices are expensive to deploy and difficult to manage in a widely distributed environment. Most stores do not maintain the skills to manage the operation of the devices and have little or no capability to prove effective ongoing operations required to meet audit requirements under the PCI standards.
The traditional approach for meeting the PCI standards will require a large upfront capital and deployment cost, along with a large “total cost of ownership” associated with ongoing maintenance and operation of the solution. Moreover, reliability issues, which threaten retailers' ability to accept credit card transactions, are a significant concern at the store systems level. Most retailers can ill afford the time normally required to work out the compatibility and configuration issues associated with integration efforts of custom systems.
As such, there is a need in the art for a cost effective system that protects cardholder data by protecting the devices that contain cardholder data, and a further need for devices and systems that can detect non-compliance with payment card industry standards.